bitrat | ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
20/09/2023, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e07c4772a2687ee06a434ffef9572f.exe
Size

7.6MB
MD5

18e07c4772a2687ee06a434ffef9572f
SHA1

ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe
SHA256

ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8
SHA512

8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b
SSDEEP

196608:eMoIG1kQ7PENK4JQp9ny9MK07ZMCmPSxF:gJB7PGqKMKeBm4F

Score

10^/10

bitrat xenarmor password recovery trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

185.225.75.68:3569

Attributes

communication_password
0edcbe7d888380c49e7d1dcf67b6ea6e
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
XenArmor Suite
XenArmor is as suite of password recovery tools for various application.
recovery password xenarmor

Executes dropped EXE 4 IoCs

pid	Process
2272	state.exe
1832	state.exe
2992	state.exe
3068	state.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1276-58-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/1276-60-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/1276-64-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/1276-66-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/1276-68-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/1276-69-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/1276-67-0x0000000000400000-0x00000000008DC000-memory.dmp	upx
behavioral1/memory/1276-118-0x0000000000400000-0x00000000008DC000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
2576	18e07c4772a2687ee06a434ffef9572f.exe
2576	18e07c4772a2687ee06a434ffef9572f.exe
2576	18e07c4772a2687ee06a434ffef9572f.exe
2576	18e07c4772a2687ee06a434ffef9572f.exe
2576	18e07c4772a2687ee06a434ffef9572f.exe
1832	state.exe
3068	state.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1456 set thread context of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 2576 set thread context of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 2272 set thread context of 1832	2272	state.exe	42
PID 2992 set thread context of 3068	2992	state.exe	51

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2668	schtasks.exe
1256	schtasks.exe
2452	schtasks.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	18e07c4772a2687ee06a434ffef9572f.exe
Token: SeShutdownPrivilege	2576	18e07c4772a2687ee06a434ffef9572f.exe
Token: SeDebugPrivilege	1832	state.exe
Token: SeShutdownPrivilege	1832	state.exe
Token: SeDebugPrivilege	3068	state.exe
Token: SeShutdownPrivilege	3068	state.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2576	18e07c4772a2687ee06a434ffef9572f.exe
2576	18e07c4772a2687ee06a434ffef9572f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2576	1456	18e07c4772a2687ee06a434ffef9572f.exe	28
PID 1456 wrote to memory of 2724	1456	18e07c4772a2687ee06a434ffef9572f.exe	29
PID 1456 wrote to memory of 2724	1456	18e07c4772a2687ee06a434ffef9572f.exe	29
PID 1456 wrote to memory of 2724	1456	18e07c4772a2687ee06a434ffef9572f.exe	29
PID 1456 wrote to memory of 2724	1456	18e07c4772a2687ee06a434ffef9572f.exe	29
PID 1456 wrote to memory of 2744	1456	18e07c4772a2687ee06a434ffef9572f.exe	33
PID 1456 wrote to memory of 2744	1456	18e07c4772a2687ee06a434ffef9572f.exe	33
PID 1456 wrote to memory of 2744	1456	18e07c4772a2687ee06a434ffef9572f.exe	33
PID 1456 wrote to memory of 2744	1456	18e07c4772a2687ee06a434ffef9572f.exe	33
PID 1456 wrote to memory of 2712	1456	18e07c4772a2687ee06a434ffef9572f.exe	32
PID 1456 wrote to memory of 2712	1456	18e07c4772a2687ee06a434ffef9572f.exe	32
PID 1456 wrote to memory of 2712	1456	18e07c4772a2687ee06a434ffef9572f.exe	32
PID 1456 wrote to memory of 2712	1456	18e07c4772a2687ee06a434ffef9572f.exe	32
PID 2744 wrote to memory of 2668	2744	cmd.exe	35
PID 2744 wrote to memory of 2668	2744	cmd.exe	35
PID 2744 wrote to memory of 2668	2744	cmd.exe	35
PID 2744 wrote to memory of 2668	2744	cmd.exe	35
PID 2576 wrote to memory of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 2576 wrote to memory of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 2576 wrote to memory of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 2576 wrote to memory of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 2576 wrote to memory of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 2576 wrote to memory of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 2576 wrote to memory of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 2576 wrote to memory of 1276	2576	18e07c4772a2687ee06a434ffef9572f.exe	38
PID 1276 wrote to memory of 2192	1276	18e07c4772a2687ee06a434ffef9572f.exe	39
PID 1276 wrote to memory of 2192	1276	18e07c4772a2687ee06a434ffef9572f.exe	39
PID 1276 wrote to memory of 2192	1276	18e07c4772a2687ee06a434ffef9572f.exe	39
PID 1276 wrote to memory of 2192	1276	18e07c4772a2687ee06a434ffef9572f.exe	39
PID 1648 wrote to memory of 2272	1648	taskeng.exe	41
PID 1648 wrote to memory of 2272	1648	taskeng.exe	41
PID 1648 wrote to memory of 2272	1648	taskeng.exe	41
PID 1648 wrote to memory of 2272	1648	taskeng.exe	41
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 1832	2272	state.exe	42
PID 2272 wrote to memory of 3024	2272	state.exe	43
PID 2272 wrote to memory of 3024	2272	state.exe	43
PID 2272 wrote to memory of 3024	2272	state.exe	43
PID 2272 wrote to memory of 3024	2272	state.exe	43
PID 2272 wrote to memory of 2932	2272	state.exe	44
PID 2272 wrote to memory of 2932	2272	state.exe	44
PID 2272 wrote to memory of 2932	2272	state.exe	44
PID 2272 wrote to memory of 2932	2272	state.exe	44

C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
"C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
  "C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
    -a "C:\Users\Admin\AppData\Local\f9be9104\plg\E1BbseDv.json"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe
      -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
      4⤵
      PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\state"
  2⤵
  PID:2724
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\18e07c4772a2687ee06a434ffef9572f.exe" "C:\Users\Admin\AppData\Roaming\state\state.exe"
  2⤵
  PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:2668

C:\Windows\system32\taskeng.exe
taskeng.exe {E51CC7D2-BCA9-4388-BD69-1A6EB681DCCC} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Roaming\state\state.exe
  C:\Users\Admin\AppData\Roaming\state\state.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Users\Admin\AppData\Roaming\state\state.exe
    "C:\Users\Admin\AppData\Roaming\state\state.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\state"
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f
    3⤵
    PID:2932
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\state\state.exe" "C:\Users\Admin\AppData\Roaming\state\state.exe"
    3⤵
    PID:2980
- C:\Users\Admin\AppData\Roaming\state\state.exe
  C:\Users\Admin\AppData\Roaming\state\state.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2992
- - C:\Users\Admin\AppData\Roaming\state\state.exe
    "C:\Users\Admin\AppData\Roaming\state\state.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\state"
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f
    3⤵
    PID:1552
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\state\state.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:2452
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\state\state.exe" "C:\Users\Admin\AppData\Roaming\state\state.exe"
    3⤵
    PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\f9be9104\plg\E1BbseDv.json

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Roaming\state\state.exe

Filesize
7.6MB

MD5
18e07c4772a2687ee06a434ffef9572f

SHA1
ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe

SHA256
ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8

SHA512
8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

Download Submit
C:\Users\Admin\AppData\Roaming\state\state.exe

Filesize
7.6MB

MD5
18e07c4772a2687ee06a434ffef9572f

SHA1
ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe

SHA256
ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8

SHA512
8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

Download Submit
C:\Users\Admin\AppData\Roaming\state\state.exe

Filesize
7.6MB

MD5
18e07c4772a2687ee06a434ffef9572f

SHA1
ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe

SHA256
ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8

SHA512
8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

Download Submit
C:\Users\Admin\AppData\Roaming\state\state.exe

Filesize
7.6MB

MD5
18e07c4772a2687ee06a434ffef9572f

SHA1
ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe

SHA256
ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8

SHA512
8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

Download Submit
C:\Users\Admin\AppData\Roaming\state\state.exe

Filesize
7.6MB

MD5
18e07c4772a2687ee06a434ffef9572f

SHA1
ff1a7e4f53efdbd0935bcf8a8dac338ea96c9dbe

SHA256
ef509cb0a60d929e4f0acd3696e724397dc8113170df0ef478ea2afaae7800d8

SHA512
8795a49d7c5993f24a290e9d5f9299871af4ffd51a66b0656bf0057cdc15b1286350aae55be7b69cec660df1353f5a4dffdc08004a1b447b1b75e5645ac6188b

Download Submit
memory/1276-66-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1276-68-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1276-64-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1276-69-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1276-56-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1276-67-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1276-60-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1276-58-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1276-118-0x0000000000400000-0x00000000008DC000-memory.dmp

Filesize
4.9MB

Download
memory/1456-0-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1456-17-0x00000000745A0000-0x0000000074C8E000-memory.dmp

Filesize
6.9MB

Download
memory/1456-3-0x0000000006C20000-0x00000000073AA000-memory.dmp

Filesize
7.5MB

Download
memory/1456-2-0x0000000004B20000-0x0000000004B60000-memory.dmp

Filesize
256KB

Download
memory/1456-1-0x0000000000B70000-0x000000000130E000-memory.dmp

Filesize
7.6MB

Download
memory/1832-152-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2272-129-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2272-130-0x00000000008B0000-0x000000000104E000-memory.dmp

Filesize
7.6MB

Download
memory/2272-131-0x00000000050A0000-0x00000000050E0000-memory.dmp

Filesize
256KB

Download
memory/2272-147-0x0000000074110000-0x00000000747FE000-memory.dmp

Filesize
6.9MB

Download
memory/2576-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-32-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-35-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-36-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-38-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-39-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-43-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2576-44-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2576-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-51-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-52-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-53-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-30-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2576-29-0x0000000000090000-0x000000000009A000-memory.dmp

Filesize
40KB

Download
memory/2576-28-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-27-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-25-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-23-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-70-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-21-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-120-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-121-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-124-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-11-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-10-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-9-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-8-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-6-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-5-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2576-4-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2992-175-0x00000000012A0000-0x0000000001A3E000-memory.dmp

Filesize
7.6MB

Download
memory/2992-176-0x0000000001230000-0x0000000001270000-memory.dmp

Filesize
256KB

Download
memory/2992-174-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2992-197-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads